AffixIOAFFIXIO
Contact

Post-Quantum Migration

Post-Quantum Migration

Post-quantum migration is now a procurement conversation. Federal contractors face 2030 compliance pressure. Buyers should ask vendors for PQC roadmaps, ML-DSA support, and crypto-agility on long-lived proofs.

post-quantum migration checklistPQC procurementML-DSA FIPS 204harvest now decrypt later

At a glance

Algorithms
ML-DSA-65 (FIPS 204), ML-KEM (FIPS 203)
US deadline
Contractor PQC compliance by 31 Dec 2030
Threat
Harvest-now-decrypt-later on long-lived proofs
AffixIO
ML-DSA attestation on live API paths
Tool
/tools/pqc-verifier
Reviewed
12 July 2026

Post-quantum migration replaces classical signatures and key exchange with NIST-approved algorithms such as ML-DSA and ML-KEM so long-lived proofs remain verifiable after quantum-capable adversaries emerge.

Post-quantum migration moved from research to procurement language in 2025 and 2026. Federal contractors face 2030 compliance pressure. Any organisation issuing long-lived signatures on audit proofs should plan crypto-agility now, not at certificate expiry.

Why verification teams care

Age proofs, ticket credentials, and agent authorisation tokens may need to verify years after issuance. Harvest-now-decrypt-later adversaries capture encrypted traffic today to decrypt after quantum-capable systems arrive. Signing with NIST-approved post-quantum algorithms at issuance reduces long-term repudiation risk.

Procurement questions to ask vendors

  1. Which NIST-approved PQC algorithms are in production endpoints, not roadmap slides?
  2. Is post-quantum attestation included at no extra cost or gated behind enterprise tiers?
  3. How are long-lived signatures on audit proofs and credentials protected?
  4. What is the crypto-agility plan if standards evolve beyond ML-DSA and ML-KEM?
  5. Can we verify attestations independently without vendor admin access?
  6. Does TLS termination use hybrid classical plus PQC where browsers support it?
  7. How do you handle backward compatibility for proofs issued before migration?
  8. Where is the public verification tool or OpenAPI attestation path documented?

Algorithms in scope

StandardPurposeAffixIO status
ML-DSA (FIPS 204)Post-quantum signaturesAffixIO attestation on live API paths
ML-KEM (FIPS 203)Post-quantum key exchangeTLS and key encapsulation layers
Classical ECDSA/RSALegacy signaturesMigrate long-lived proofs before 2030

AffixIO ships ML-DSA-65 attestation on supported endpoints. Verify signatures in the PQC verifier. Read the PQC field note and procurement pack.

Frequently asked questions

Do we need PQC for age checks?

Any proof that must verify years later should use quantum-safe signatures.

Is TLS enough?

TLS protects in transit. Long-lived proofs and audit artefacts need PQC signatures at issuance.

Do we need PQC for age checks?

Any proof that must verify years later should use quantum-safe signatures at issuance.

Is TLS 1.3 enough?

TLS protects in transit. Long-lived proofs and audit artefacts need PQC signatures at issuance.

What is ML-DSA-65?

A NIST FIPS 204 parameter set used on AffixIO attestation paths.

Can we dual-sign during migration?

Yes. Crypto-agility plans often dual-publish classical and PQC signatures during transition.

Where is the US federal deadline?

Contractor PQC compliance trajectory targets 31 December 2030 under current executive order guidance.